1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
#!/usr/bin/env ruby
#
# = Synopsis
#
# Stand-alone certificate authority. Capable of generating certificates
# but mostly meant for signing certificate requests from puppet clients.
#
# = Usage
#
# puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
# [-p|--print] [-c|--clean] [--verify] [--digest DIGEST]
# [--fingerprint] [host]
#
# = Description
#
# Because the puppetmasterd daemon defaults to not signing client certificate
# requests, this script is available for signing outstanding requests. It
# can be used to list outstanding requests and then either sign them individually
# or sign all of them.
#
# = Options
#
# Note that any configuration parameter that's valid in the configuration file
# is also a valid long argument. For example, 'ssldir' is a valid configuration
# parameter, so you can specify '--ssldir <directory>' as an argument.
#
# See the configuration file documentation at
# http://reductivelabs.com/projects/puppet/reference/configref.html for
# the full list of acceptable parameters. A commented list of all
# configuration options can also be generated by running puppet cert with
# '--genconfig'.
#
# all::
# Operate on all items. Currently only makes sense with '--sign',
# '--clean', or '--list'.
#
# digest::
# Set the digest for fingerprinting (defaults to md5). Valid values depends
# on your openssl and openssl ruby extension version, but should contain at
# least md5, sha1, md2, sha256.
#
# clean::
# Remove all files related to a host from puppet cert's storage. This is
# useful when rebuilding hosts, since new certificate signing requests
# will only be honored if puppet cert does not have a copy of a signed
# certificate for that host. The certificate of the host remains valid.
# If '--all' is specified then all host certificates, both signed and
# unsigned, will be removed.
#
# debug::
# Enable full debugging.
#
# generate::
# Generate a certificate for a named client. A certificate/keypair will be
# generated for each client named on the command line.
#
# help::
# Print this help message
#
# list::
# List outstanding certificate requests. If '--all' is specified,
# signed certificates are also listed, prefixed by '+', and revoked
# or invalid certificates are prefixed by '-' (the verification outcome
# is printed in parenthesis).
#
# print::
# Print the full-text version of a host's certificate.
#
# fingerprint::
# Print the DIGEST (defaults to md5) fingerprint of a host's certificate.
#
# revoke::
# Revoke the certificate of a client. The certificate can be specified
# either by its serial number, given as a decimal number or a hexadecimal
# number prefixed by '0x', or by its hostname. The certificate is revoked
# by adding it to the Certificate Revocation List given by the 'cacrl'
# config parameter. Note that the puppetmasterd needs to be restarted
# after revoking certificates.
#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
#
# verbose::
# Enable verbosity.
#
# version::
# Print the puppet version number and exit.
#
# verify::
# Verify the named certificate against the local CA certificate.
#
# = Example
#
# $ puppet cert -l
# culain.madstop.com
# $ puppet cert -s culain.madstop.com
#
# = Author
#
# Luke Kanies
#
# = Copyright
#
# Copyright (c) 2005 Reductive Labs, LLC
# Licensed under the GNU Public License
require 'puppet/application/cert'
Puppet::Application[:cert].run
|